An independent report supports the privacy of 1.1.1.1, Cloudflare's free DNS


Cloudflare has published an independent report on 1.1.1.1, its public DNS resolution service, and the main conclusion is in its favor. As mentioned in the document, the system controls were “properly designed and operated effectively” throughout 2024 to meet the privacy commitments that the company had made public. In practical terms, the review supports that the service performed in accordance with those promises during the period analyzed.

It is best to first clarify what we are talking about. 1.1.1.1 is Cloudflare’s public DNS server, a service that allows domain name queries to be sent to the company’s infrastructure instead of using the operator’s or another third party’s default DNS. In practice, when the user types a web address, that query can go through 1.1.1.1. In addition, its name has become even more popular because Cloudflare integrates it in its 1.1.1.1 application with WARP, known by many users for its usefulness in avoiding network blocks, as we already explained in our guide on how to use WARP, Cloudflare’s free VPN.

The fact that it is free matters because, in services of this type, it is always worth asking what the real return is for the company and whether the business model could be based on the exploitation of data. In this case, the examination signed by KPMG maintains that, at least between January 1 and December 31, 2024, Cloudflare met defined control objectives and that its statement about those measures is correctly expressed. In other words, they are not lying about their privacy standards.

What exactly the report says about user data

The most important part of the document is the commitments that Cloudflare declares for 1.1.1.1 and how they are audited. The company claims that it will not sell or share users’ personal data with third parties, nor will it use that data to target advertising. It also maintains that it does not retain the full source IP address of DNS queries in non-volatile storage, except for a very small random sample of network traffic captured for diagnostic and denial-of-service attack mitigation purposes.

That nuance is important. The report explains that edge infrastructure can randomly record a maximum of 0.05% of packets using Netflow or sFlow to analyze volume and network flows, but without including the payload of the DNS query and without associating that data with the information of the DNS query itself. Additionally, that sampled data is retained for a maximum of 60 days.

In normal operation of the resolver, the user’s source IP is anonymized by truncation. For IPv4 the last octet is removed and for IPv6 the last 80 bits, and that truncated IP must be deleted within a maximum period of 25 hours. The report also includes as a control objective that syslog is disabled on edge routers for accepted Public Resolver requests and that logical access to system configurations is restricted to authorized users, with changes approved, tested and authorized before reaching production.
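The truncation and 25-hour deletion described above can be sketched as follows. This is an added example, not Cloudflare's code or anything taken from the report; the function names, the handling of IPv4-mapped addresses and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Figures from the article: drop the last IPv4 octet (keep a /24 prefix),
# drop the last 80 IPv6 bits (keep a /48 prefix), and delete the truncated
# address within 25 hours.
V4_KEEP_BITS = 32 - 8
V6_KEEP_BITS = 128 - 80
MAX_AGE = timedelta(hours=25)


def truncate_ip(addr: str) -> str:
    """Return the address with its low-order bits zeroed (hypothetical helper)."""
    ip = ipaddress.ip_address(addr)
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is handled as
    # IPv4; a /48 mask would otherwise zero the whole embedded address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def purge_expired(records, now):
    """Keep only (timestamp, truncated_ip) pairs younger than MAX_AGE."""
    return [(ts, ip) for ts, ip in records if now - ts < MAX_AGE]


if __name__ == "__main__":
    # Constructed sample data, not real resolver logs.
    now = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
    clients = [
        "203.0.113.77",
        "2001:db8:1234:5678:9abc:def0:1234:5678",
        "::ffff:198.51.100.9",
    ]
    ages = [timedelta(hours=1), timedelta(hours=24), timedelta(hours=26)]
    records = [(now - age, truncate_ip(c)) for age, c in zip(ages, clients)]
    for ts, ip in purge_expired(records, now):
        print(ts.isoformat(), ip)
```

After truncation every client in the same IPv4 /24 or IPv6 /48 maps to the same stored value, which is what prevents a record from identifying a single source address.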

An external audit at a delicate moment for Cloudflare in Spain

The publication of this report comes in a particularly sensitive context for Cloudflare in Spain, where the company has been at the center of the conflict due to the blocks linked to LaLiga. In recent months we have talked about both how LaLiga has threatened legitimate Cloudflare customers and the role that WARP has taken among those seeking to avoid these blocks. This has boosted the brand’s visibility, but has also put more focus on the type of data its infrastructure handles.

That is why this document has value beyond the purely technical. It doesn’t prove that Cloudflare is flawless on all fronts, nor does it automatically make 1.1.1.1 a perfect tool, but it does provide a much stronger foundation than just a corporate promise. It’s not just Cloudflare ensuring it protects privacy, but rather an external report concluding that its controls over the resolver worked as defined throughout 2024.

In a market where many free services force us to look closely at the business model, this detail is not minor. 1.1.1.1 is still free and it will still be reasonable to wonder where the return for Cloudflare comes from. Probably, for the company this is a service that is more related to the discovery and strengthening of the brand than to a platform from which to obtain maximum profitability.